Outputs conf splunk
  1. OUTPUTS CONF SPLUNK WINDOWS
  2. OUTPUTS CONF SPLUNK HOW TO

    OUTPUTS CONF SPLUNK WINDOWS

    You can use heavy forwarders to filter and route event data to Splunk instances. You can also perform selective indexing and forwarding, where you index some data locally and forward the data that you have not indexed to a separate indexer.

    For information on routing data to non-Splunk systems, see Forward data to third-party systems.

    For information on performing selective indexing and forwarding, see Perform selective indexing and forwarding later in this topic.

    Routing and filtering capabilities of forwarders

    Heavy forwarders can filter and route data to specific receivers based on source, source type, or patterns in the events themselves. For example, you can send all data from one group of machines to one indexer and all data from a second group of machines to a second indexer. Heavy forwarders can also look inside the events and filter or route accordingly. For example, you could use a heavy forwarder to inspect WMI event codes to filter or route Windows events.

    Besides routing to receivers, heavy forwarders can also filter and route data to specific queues, or discard the data altogether by routing to the null queue. This topic describes a number of typical routing scenarios.

    Only heavy forwarders can route or filter all data based on events. Universal and light forwarders cannot inspect individual events, except in the case of extracting fields from structured data. They can still forward data based on a host, source, or source type. They can also route based on the stanza for a data input, as described below in the subtopic Route inputs to specific indexers based on the data input.

    A simple illustration of a forwarder routing data to three indexers follows: [figure not reproduced on this page]

    Some input types can filter out data types while acquiring them.

    OUTPUTS CONF SPLUNK HOW TO

    You can configure routing only on a heavy forwarder.

  1. Determine the criteria to use for routing by answering the following questions:
    • How will you identify categories of events?
  2. On the Splunk instance that does the routing, open a shell or command prompt.
  3. Edit $SPLUNK_HOME/etc/system/local/props.conf to add a TRANSFORMS-routing setting that determines routing based on event metadata.
    • The stanza header identifies the events: a source type name; host::<host>, where <host> is the host for an event; or source::<source>, where <source> is the source for an event.
    • If you have multiple TRANSFORMS attributes, use a unique name for each. For example: "TRANSFORMS-routing1", "TRANSFORMS-routing2", and so on.
    • Use the stanza name specified here when creating an entry in transforms.conf.
    • Examples later in this topic show how to use this syntax.
  4. Edit $SPLUNK_HOME/etc/system/local/transforms.conf to specify target groups and set additional criteria for routing based on event patterns.
    • The stanza name must match the name you defined in props.conf.
    • In the REGEX setting, enter the regular expression rules that determine which events get routed.
    • Use a regular expression of "." if you don't need additional filtering beyond the metadata specified in props.conf.
    • DEST_KEY should be set to _TCP_ROUTING to send events via TCP.
    • Set FORMAT to a name that matches a target group name you defined in outputs.conf.
    • A comma separated list clones events to multiple target groups. If you specify more than one target group, use commas to separate them.
  5. Edit $SPLUNK_HOME/etc/system/local/outputs.conf to define the target groups for the routed data.
    • Set the target group name to match the name you specified in transforms.conf.
    • Set the IP address and port to match the receiving server.

    Filter and route event data to target groups

    In this example, a heavy forwarder filters three types of events and routes them to different target groups. The forwarder filters and routes according to these criteria:
    • Events with a source type of "syslog" to a load-balanced target group.
    • Events containing the word "error" to a second target group.

    The use cases described in this topic follow this pattern.
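    As an added example (not from the page or from Splunk), the three-file configuration for the scenario above, followed by a consistency check for the "must match" rules: every TRANSFORMS-* value in props.conf names a transforms.conf stanza, every DEST_KEY is _TCP_ROUTING, and every FORMAT group (each entry of a comma-separated list) exists as a tcpout group in outputs.conf. Stanza names, group names and addresses are invented; Python's configparser is used because Splunk .conf files are INI-like.

```python
import configparser
# Constructed sample configs (not from the page) for the scenario in the text; names and IPs are invented.
PROPS_CONF = """
[default]
TRANSFORMS-routing = route_errors
[syslog]
TRANSFORMS-routing = route_syslog
"""
TRANSFORMS_CONF = """
[route_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = syslog_group
[route_errors]
REGEX = error
DEST_KEY = _TCP_ROUTING
FORMAT = error_group
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = everything_else_group
[tcpout:syslog_group]
server = 10.0.0.1:9997, 10.0.0.2:9997
[tcpout:error_group]
server = 10.0.0.3:9997
[tcpout:everything_else_group]
server = 10.0.0.4:9997
"""

def parse_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)  # leave regex % characters alone
    cp.optionxform = str  # Splunk keys are case-sensitive (TRANSFORMS-*, DEST_KEY, FORMAT)
    cp.read_string(text)
    return cp

def check_routing(props: str, transforms: str, outputs: str) -> list:
    """Cross-check the three files; an empty list means every reference resolves."""
    p, t, o = parse_conf(props), parse_conf(transforms), parse_conf(outputs)
    groups = {s.split(":", 1)[1] for s in o.sections() if s.startswith("tcpout:")}
    # every TRANSFORMS-* value in props.conf must name a transforms.conf stanza
    problems = [f"props [{s}] {k}={v}: no such transforms stanza"
                for s in p.sections() for k, v in p.items(s)
                if k.startswith("TRANSFORMS-") and not t.has_section(v)]
    for stanza in t.sections():  # DEST_KEY, then every (comma-separated) FORMAT group
        if t.get(stanza, "DEST_KEY", fallback="") != "_TCP_ROUTING":
            problems.append(f"transforms [{stanza}]: DEST_KEY must be _TCP_ROUTING")
        for g in t.get(stanza, "FORMAT", fallback="").split(","):
            if g.strip() not in groups:
                problems.append(f"transforms [{stanza}]: FORMAT group {g.strip()!r} not in outputs.conf")
    return problems
```

    Run check_routing on the three files before restarting the forwarder; a typo in any of the three names silently leaves events on the default group, which this check reports instead.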